Keeper Security’s Baseless UDRP Complaint: A Dangerous Attempt at Domain Hijacking

In a recent UDRP case, Keeper Security, Inc. filed a complaint against the long-standing owner of keeper.com in what can only be described as a brazen attempt at domain hijacking. This misuse of the UDRP process is not only unethical but also threatens the integrity of the entire domain name system.

Complainant Tried to Steal Keeper.com

Keeper Security, operating from keepersecurity.com, sought to upgrade to the more valuable keeper.com through illegitimate means.

Facts in keeper.com WIPO Complaint

The facts of the case clearly show why this complaint was baseless:

The keeper.com domain was registered in 1995, long before Keeper Security even existed (founded in 2009).

The domain had been used for a legitimate business for many years.

Keeper Security’s trademark rights only began in 2009, 14 years after the domain registration.

Analysis of Keeper.com UDRP Decision

These facts alone should have prevented any responsible party from filing a UDRP complaint. While the Complainant contends that the bad faith registration requirement is satisfied here because an unknown and unnamed bad actor somehow hijacked the Disputed Domain Name in recent years to distribute malware, the bad faith registration requirement simply cannot be met in such circumstances.

Keeper.com Is a Multi-Million Dollar Domain Name

What makes this attempt particularly egregious is the potential value of keeper.com. As a short, generic one-word .com domain, it likely carries a seven-figure value. Looking at DNJournal’s list of top domain sales, we see comparable examples:

  • Voice.com sold for $30 million
  • Chat.com sold for $15.5 million
  • Connect.com sold for $10 million
  • Gold.com sold for $8.5 million
  • Toys.com sold for $5.1 million
  • Clothes.com sold for $4.9 million

Given these comparables, keeper.com could easily be worth over $1 million. Keeper Security’s complaint, therefore, amounts to an attempt at grand theft of a highly valuable digital asset.

Investigation of Keeper.com Domain Name

I visited securitytrails.com and discover that the domain name has used the same NS (name server) setting for the past 16 years, so whatever is happening, wasn’t because the domain name owner’s actions. Any website can be compromised and most mature websites have been compromised at some point over the past 30 years.

Instead of pursuing this misguided UDRP action, Keeper Security should have focused on legitimate means to address their concerns:

  1. If there were genuine malware issues, contacting the hosting provider (Hostgator) would have been more appropriate and effective. https://newfold.com/abuse
  2. If they truly desired the domain, they could have attempted to negotiate a purchase with the rightful owner by hiring an experienced domain broker.

Domain owners, registrars, and ICANN must remain vigilant against such blatant misuse of dispute resolution procedures. The UDRP was designed to combat cybersquatting, not to serve as a shortcut for companies to upgrade their domain names at the expense of legitimate prior registrants.

The keeper.com UDRP decision was correctly decided for the following key reasons:

1. Bad Faith Registration Not Established:

The domain <keeper.com> was registered in 1995, long before the Complainant (Keeper Security, Inc.) acquired rights to the KEEPER mark in 2009. The panel correctly applied the principle that when a domain is registered before a complainant’s trademark rights accrue, bad faith registration is generally not found (WIPO Overview 3.0, section 3.8.1).

2. No Authority for Liability Regarding Third Party Actor:

While there was evidence of malware being distributed from the website, the Complainant failed to provide sufficient evidence that the domain itself had been hijacked or transferred to a bad actor. The panel rightly distinguished between website infection and domain name control.

3. Renewal Does Not Constitute Registration:

The panel correctly noted that domain renewal does not constitute a new registration under the UDRP (WIPO Overview 3.0, section 3.9).

4. Bad Faith Use Alone Is Insufficient:

The panel accurately applied the principle that even if bad faith use is established, it is not enough to satisfy the UDRP requirements if bad faith registration is not proven (citing Fieldd Pty Ltd v. Jessica Duarte, WIPO Case No. D2022-4980).

Cases and WIPO Principles Cited:

1. WIPO Overview 3.0, section 1.7:

Discusses the “reasoned but relatively straightforward comparison” between the complainant’s trademark and the disputed domain name for the first UDRP element.

2. WIPO Overview 3.0, section 1.2.1:

Addresses what rights in a trademark are sufficient for the purposes of the UDRP.

3. WIPO Overview 3.0, section 3.8.1:

States that panels will not normally find bad faith when a domain is registered before the complainant’s trademark rights accrue.

4. WIPO Overview 3.0, section 3.9:

Discusses how the transfer date of a domain can be treated as the registration date in certain circumstances (not applicable in this case).

5. WIPO Overview 3.0, sections 2.13 and 3.4:

Address bad faith use in relation to malware distribution.

6. Fieldd Pty Ltd v. Jessica Duarte, WIPO Case No. D2022-4980:

Cited to support the principle that bad faith use alone is insufficient if bad faith registration is not established.

The panel’s decision demonstrates a careful application of UDRP principles, particularly in distinguishing between bad faith registration and bad faith use, and in recognizing the limitations of the UDRP in addressing certain types of domain name disputes.